05/07/2014

So, another topic that got a lot of time for presentations at ACRP was "remote review of source documents". In the talks there were some misunderstandings of the requirements of HIPAA. In the US, Remember you do NOT have to De-identify a source to be reviewed remotely by the sponsor under HIPAA if the patient has signed a HIPAA Authorization before and the authorization includes what PHI is going to be used and disclosed and to whom (sponsor). Just like paper.

The minimum necessary policies within HIPAA do NOT apply to authorized disclosures. The site should provide what is needed by the predicate rules, 21 CFR part 312, 812, Original (or exact copies verified as such) Pertinent source to auditors and monitors. Of course Covered Entities are going to need to receive acceptable assurances that the info will only be used for the purposes in the authorization and that unauthorized disclosure will be avoided with adequate security measures. So faxing source probably not a secure way to do this (even direct fax to email) and not efficient with todays great technology there are other ways. Remember, once the PHI is received by the sponsor, that specific data received is not protected under the HIPAA privacy rule because it is now with a non-covered entity. So sites need assurances from sponsors how security will be upheld and that the info is only used for the purposes in the authorization and the CTA. The sponsor does not need ownership of the remote reviewed source! Why not provide remote review on a secure area that is temporary access by the sponsor. Just like paper, the sponsor only looks during that moment of time that the chart is provided. Apply ALCOA to remote monitoring of source and good security and privacy practices. Don't waist valuable time and $$, resources on unnecessary activities to support this. I think remote review can work with the right things in place.